An alleged widespread data theft by Russian hackers is rekindling questions among security experts on how to police and disclose breaches—and how firms that discover such stolen material should behave.

Milwaukee Internet security firm Hold Security LLC said this week that a Russian hacking group had collected a staggering number of stolen records: 1.2 billion usernames and passwords allegedly taken. The company disclosed its findings...